An internal certificate from our AD CS expired and applications complain.
Internal PKI certificates expire silently. RDP, LDAPS, NPS and internal web services break without a clear notice. A solid CA roadmap prevents the surprise.
Try this first
- 1Open Certification Authority on the issuing CA, look at 'Issued Certificates' and sort by expiration. Identify which applications are now broken.
- 2Request renewal via the right template: usually certreq on the target machine, or automatic enrollment via GPO if that should have worked here.
- 3For servers: replace the certificate in the application (IIS, RD Gateway, NPS), rebind and restart the service. Verify with openssl s_client that the chain is correct.
- 4For the CA certificate itself (Root or Issuing): plan well ahead, renew before half its lifetime. Distributing a new CA cert to clients can take weeks.
- 5Set up cert-expiry monitoring going forward (PRTG, Zabbix, or a PowerShell script in a scheduled task), alerting 60 and 30 days in advance.
When to bring us in
With an expired Root CA and multiple subordinates: dig up the original design docs. Often a rebuild with a new Root CA and cross-cert is less painful than a full migration.
See also
- One DC or two DCs for an SMB office?Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs?For a small domain all on one DC is fine; with two DCs splitting is tidier but not required.
- How do I know my AD replication is healthy?Replication errors creep in silently; they only surface when logins or GPOs misbehave.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.